This certificate confirms that your team has assessed the dependencies directly used in your project for known critical vulnerabilities and for the mutual compatibility of their licences.
This certificate does not replace the analysis of transitive dependencies and licence selection, or imply distribution rights. It is a first step towards licence governance.
A full specification of the Self-Assessed Dependencies certificate is also available (the document is available to GN5.2 participants).
List all direct dependencies used in the project. For multi-module projects, list dependencies per module.
Identify the licence for each dependency, and confirm their mutual compatibility.
Check for known critical security vulnerabilities, and address them.
Identify any other third-party intellectual property.
Document all of the above.
The self-assessment required should be straightforward for your team. Below is a description of the steps you need to follow:
Compile a comprehensive list of all direct software dependencies used in your project. These can typically be extracted from dependency, manifest, or build files such as package.json, MANIFEST.MF, or pom.xml.
If the project contains multiple modules, list dependencies for each module separately. Components that are separated for practical or architectural reasons, but are not intended for use in other projects, do not require their own dependency lists. Produce lists for all modules you developed and intend to use together, even when loosely coupled (e.g. internal services).
Transitive dependencies may also be reviewed and documented, but this is optional.
Confirm that each direct dependency is under a valid open source or proprietary licence. Ensure that the licences are mutually compatible for use in your software.
Review each direct dependency for known critical security vulnerabilities. Tools such as Software Composition Analysis (SCA) scanners or the GÉANT SCA service may be employed, including existing reports from these tools if still relevant. You may also consult sources such as CVE, NIST, or similar for comprehensive vulnerability information about your dependencies.
Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets. Identifying, assessing, and documenting third-party IP at the time of integration is crucial, as such assets are often not detected by SCA or dependency management tools.
Record each direct dependency or third-party IP, including name, version, licence, and any known vulnerabilities. This can be placed in a NOTICE or README file (recommended but optional).
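The inventory steps above (extract direct dependencies from the manifest files, resolve versions, attach licences, and record the result) can be scripted. The following is an added example, not tooling from GÉANT or the Licence Management Team: it parses a package.json and a pom.xml using only the Python standard library, resolves Maven `${property}` version placeholders, keeps dev/test-scoped entries separate, merges licence data from a separately obtained source, and renders a NOTICE-style listing. The two manifests and the `LICENCES` map are constructed for illustration; in practice the licence data would come from the packages' own metadata or an SCA report, and npm versions should be pinned from the lockfile rather than taken as the ranges declared in package.json.

```python
"""Build a direct-dependency inventory from package.json and pom.xml (added example)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests, not taken from any real project.
PACKAGE_JSON = """
{
  "name": "example-portal",
  "version": "1.4.0",
  "license": "Apache-2.0",
  "dependencies": { "express": "^4.19.2", "lodash": "~4.17.21" },
  "devDependencies": { "jest": "^29.7.0" }
}
"""

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-api</artifactId>
  <version>2.0.0</version>
  <properties>
    <jackson.version>2.17.1</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter</artifactId>
      <version>5.10.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed licence data, standing in for an SCA report or package metadata.
LICENCES = {
    ("npm", "express"): "MIT",
    ("npm", "lodash"): "MIT",
    ("npm", "jest"): "MIT",
    ("maven", "com.fasterxml.jackson.core:jackson-databind"): "Apache-2.0",
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_package_json(text):
    """One record per direct npm dependency. Keeps the declared *range*; the
    exact installed version should be read from the lockfile when recording."""
    data = json.loads(text)
    records = []
    for section, scope in (("dependencies", "runtime"), ("devDependencies", "dev")):
        for name, spec in data.get(section, {}).items():
            records.append({"ecosystem": "npm", "name": name, "version": spec,
                            "scope": scope, "licence": None})
    return records


def parse_pom(text):
    """One record per direct Maven dependency, with ${property} versions resolved."""
    root = ET.fromstring(text)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", MAVEN_NS)}
    props["project.version"] = root.findtext("m:version", default="", namespaces=MAVEN_NS).strip()

    def resolve(value):
        # Unknown placeholders are left intact so incomplete() flags them later.
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    records = []
    for dep in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        def field(tag, default=""):
            return dep.findtext(f"m:{tag}", default=default, namespaces=MAVEN_NS).strip()
        records.append({"ecosystem": "maven",
                        "name": f"{field('groupId')}:{field('artifactId')}",
                        "version": resolve(field("version")),  # empty if managed by a parent/BOM
                        "scope": field("scope", "compile"),
                        "licence": None})
    return records


def attach_licences(records, licences):
    """Fill in licences from an external source keyed by (ecosystem, name)."""
    for r in records:
        r["licence"] = licences.get((r["ecosystem"], r["name"]))
    return records


def incomplete(records):
    """Dependencies that still lack a licence or a resolved version."""
    return sorted(r["name"] for r in records
                  if r["licence"] is None or not r["version"] or "${" in r["version"])


def render_notice(records):
    """NOTICE-style listing: name, version, ecosystem/scope, licence."""
    lines = ["Direct third-party dependencies", ""]
    for r in records:
        lines.append(f"- {r['name']} {r['version'] or '<unresolved>'} "
                     f"[{r['ecosystem']}, {r['scope']}] licence: {r['licence'] or 'UNKNOWN'}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = attach_licences(parse_package_json(PACKAGE_JSON) + parse_pom(POM_XML), LICENCES)
    print(render_notice(inventory))
    print("\nStill to resolve before submitting:", incomplete(inventory))
```

Run it as a script to see the listing; the `incomplete()` output is the to-do list before the inventory can be called finished (here the JUnit entry, which has no licence recorded in the constructed map). Multi-module projects would run the same extraction once per module manifest and keep the lists separate, as the step above requires.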
Inform the Licence Management Team that your project meets the certificate requirements. See the Contact us section for how to reach the Team.
Upon approval, your project will receive the Self-Assessed Dependencies certificate, which will be visible in the GÉANT Software Catalogue.
You may reference the certificate in your documentation, metadata, project page, or communications. The Licence Management Team will provide guidance on how to do this.
Keep dependency, licence, and vulnerability data up to date. The certificate is valid for five years and covers all versions released within that time, provided that issues are promptly addressed.
Reassess and submit a renewal request before the five-year validity ends, or sooner if there are significant changes.
Ensure continued compliance to avoid revocation. Common triggers include:
Mutually incompatible licences of dependencies
Unresolved critical dependency vulnerabilities
Complaints raised by dependency authors
Non-response to complaints or investigations